xref: /freebsd/sys/dev/usb/usb_msctest.c (revision 4fbb9c43aa44d9145151bb5f77d302ba01fb7551)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2008-2022 Hans Petter Selasky.
5  * Copyright (c) 2021-2022 Idwer Vollering.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 /*
30  * The following file contains code that will detect USB autoinstall
31  * disks.
32  */
33 
34 #ifdef USB_GLOBAL_INCLUDE_FILE
35 #include USB_GLOBAL_INCLUDE_FILE
36 #else
37 #include <sys/stdint.h>
38 #include <sys/stddef.h>
39 #include <sys/param.h>
40 #include <sys/queue.h>
41 #include <sys/types.h>
42 #include <sys/systm.h>
43 #include <sys/kernel.h>
44 #include <sys/bus.h>
45 #include <sys/module.h>
46 #include <sys/lock.h>
47 #include <sys/mutex.h>
48 #include <sys/condvar.h>
49 #include <sys/sysctl.h>
50 #include <sys/sx.h>
51 #include <sys/unistd.h>
52 #include <sys/callout.h>
53 #include <sys/malloc.h>
54 #include <sys/priv.h>
55 
56 #include <dev/usb/usb.h>
57 #include <dev/usb/usbdi.h>
58 #include <dev/usb/usbdi_util.h>
59 
60 #define	USB_DEBUG_VAR usb_debug
61 
62 #include <dev/usb/usb_busdma.h>
63 #include <dev/usb/usb_process.h>
64 #include <dev/usb/usb_transfer.h>
65 #include <dev/usb/usb_msctest.h>
66 #include <dev/usb/usb_debug.h>
67 #include <dev/usb/usb_device.h>
68 #include <dev/usb/usb_request.h>
69 #include <dev/usb/usb_util.h>
70 #include <dev/usb/quirk/usb_quirk.h>
71 #endif			/* USB_GLOBAL_INCLUDE_FILE */
72 
73 enum {
74 	ST_COMMAND,
75 	ST_DATA_RD,
76 	ST_DATA_RD_CS,
77 	ST_DATA_WR,
78 	ST_DATA_WR_CS,
79 	ST_STATUS,
80 	ST_MAX,
81 };
82 
83 enum {
84 	DIR_IN,
85 	DIR_OUT,
86 	DIR_NONE,
87 };
88 
89 #define	SCSI_MAX_LEN	MAX(SCSI_FIXED_BLOCK_SIZE, USB_MSCTEST_BULK_SIZE)
90 #define	SCSI_INQ_LEN	0x24
91 #define	SCSI_SENSE_LEN	0xFF
92 #define	SCSI_FIXED_BLOCK_SIZE 512	/* bytes */
93 
94 static uint8_t scsi_test_unit_ready[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
95 static uint8_t scsi_inquiry[] = { 0x12, 0x00, 0x00, 0x00, SCSI_INQ_LEN, 0x00 };
96 static uint8_t scsi_rezero_init[] =     { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };
97 static uint8_t scsi_start_unit[] = { 0x1b, 0x00, 0x00, 0x00, 0x01, 0x00 };
98 static uint8_t scsi_stop_unit[] = { 0x1b, 0x00, 0x00, 0x00, 0x02, 0x00 };
99 static uint8_t scsi_ztestor_eject[] =   { 0x85, 0x01, 0x01, 0x01, 0x18, 0x01,
100 					  0x01, 0x01, 0x01, 0x01, 0x00, 0x00 };
101 static uint8_t scsi_cmotech_eject[] =   { 0xff, 0x52, 0x44, 0x45, 0x56, 0x43,
102 					  0x48, 0x47 };
103 static uint8_t scsi_huawei_eject[] =	{ 0x11, 0x06, 0x00, 0x00, 0x00, 0x00,
104 					  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
105 					  0x00, 0x00, 0x00, 0x00 };
106 static uint8_t scsi_huawei_eject2[] =	{ 0x11, 0x06, 0x20, 0x00, 0x00, 0x01,
107 					  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
108 					  0x00, 0x00, 0x00, 0x00 };
109 static uint8_t scsi_huawei_eject3[] =	{ 0x11, 0x06, 0x20, 0x00, 0x00, 0x01,
110 					  0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
111 					  0x00, 0x00, 0x00, 0x00 };
112 static uint8_t scsi_huawei_eject4[] =	{ 0x11, 0x06, 0x30, 0x00, 0x00, 0x00,
113 					  0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
114 					  0x00, 0x00, 0x00, 0x00 };
115 static uint8_t scsi_tct_eject[] =	{ 0x06, 0xf5, 0x04, 0x02, 0x52, 0x70 };
116 static uint8_t scsi_sync_cache[] =	{ 0x35, 0x00, 0x00, 0x00, 0x00, 0x00,
117 					  0x00, 0x00, 0x00, 0x00 };
118 static uint8_t scsi_request_sense[] =	{ 0x03, 0x00, 0x00, 0x00, 0x12, 0x00,
119 					  0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
120 static uint8_t scsi_read_capacity[] =	{ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
121 					  0x00, 0x00, 0x00, 0x00 };
122 static uint8_t scsi_prevent_removal[] =	{ 0x1e, 0, 0, 0, 1, 0 };
123 static uint8_t scsi_allow_removal[] =	{ 0x1e, 0, 0, 0, 0, 0 };
124 
125 #ifndef USB_MSCTEST_BULK_SIZE
126 #define	USB_MSCTEST_BULK_SIZE	64	/* dummy */
127 #endif
128 
129 #define	ERR_CSW_FAILED		-1
130 
131 /* Command Block Wrapper */
132 struct bbb_cbw {
133 	uDWord	dCBWSignature;
134 #define	CBWSIGNATURE	0x43425355
135 	uDWord	dCBWTag;
136 	uDWord	dCBWDataTransferLength;
137 	uByte	bCBWFlags;
138 #define	CBWFLAGS_OUT	0x00
139 #define	CBWFLAGS_IN	0x80
140 	uByte	bCBWLUN;
141 	uByte	bCDBLength;
142 #define	CBWCDBLENGTH	16
143 	uByte	CBWCDB[CBWCDBLENGTH];
144 } __packed;
145 
146 /* Command Status Wrapper */
147 struct bbb_csw {
148 	uDWord	dCSWSignature;
149 #define	CSWSIGNATURE	0x53425355
150 	uDWord	dCSWTag;
151 	uDWord	dCSWDataResidue;
152 	uByte	bCSWStatus;
153 #define	CSWSTATUS_GOOD	0x0
154 #define	CSWSTATUS_FAILED	0x1
155 #define	CSWSTATUS_PHASE	0x2
156 } __packed;
157 
158 struct bbb_transfer {
159 	struct mtx mtx;
160 	struct cv cv;
161 	struct bbb_cbw *cbw;
162 	struct bbb_csw *csw;
163 
164 	struct usb_xfer *xfer[ST_MAX];
165 
166 	uint8_t *data_ptr;
167 
168 	usb_size_t data_len;		/* bytes */
169 	usb_size_t data_rem;		/* bytes */
170 	usb_timeout_t data_timeout;	/* ms */
171 	usb_frlength_t actlen;		/* bytes */
172 	usb_frlength_t buffer_size;    	/* bytes */
173 
174 	uint8_t	cmd_len;		/* bytes */
175 	uint8_t	dir;
176 	uint8_t	lun;
177 	uint8_t	state;
178 	uint8_t	status_try;
179 	int	error;
180 
181 	uint8_t	*buffer;
182 };
183 
184 static usb_callback_t bbb_command_callback;
185 static usb_callback_t bbb_data_read_callback;
186 static usb_callback_t bbb_data_rd_cs_callback;
187 static usb_callback_t bbb_data_write_callback;
188 static usb_callback_t bbb_data_wr_cs_callback;
189 static usb_callback_t bbb_status_callback;
190 static usb_callback_t bbb_raw_write_callback;
191 
192 static void	bbb_done(struct bbb_transfer *, int);
193 static void	bbb_transfer_start(struct bbb_transfer *, uint8_t);
194 static void	bbb_data_clear_stall_callback(struct usb_xfer *, uint8_t,
195 		    uint8_t);
196 static int	bbb_command_start(struct bbb_transfer *, uint8_t, uint8_t,
197 		    void *, size_t, void *, size_t, usb_timeout_t);
198 static struct bbb_transfer *bbb_attach(struct usb_device *, uint8_t, uint8_t);
199 static void	bbb_detach(struct bbb_transfer *);
200 
201 static const struct usb_config bbb_config[ST_MAX] = {
202 	[ST_COMMAND] = {
203 		.type = UE_BULK,
204 		.endpoint = UE_ADDR_ANY,
205 		.direction = UE_DIR_OUT,
206 		.bufsize = sizeof(struct bbb_cbw),
207 		.callback = &bbb_command_callback,
208 		.timeout = 4 * USB_MS_HZ,	/* 4 seconds */
209 	},
210 
211 	[ST_DATA_RD] = {
212 		.type = UE_BULK,
213 		.endpoint = UE_ADDR_ANY,
214 		.direction = UE_DIR_IN,
215 		.bufsize = SCSI_MAX_LEN,
216 		.flags = {.proxy_buffer = 1,.short_xfer_ok = 1,},
217 		.callback = &bbb_data_read_callback,
218 		.timeout = 4 * USB_MS_HZ,	/* 4 seconds */
219 	},
220 
221 	[ST_DATA_RD_CS] = {
222 		.type = UE_CONTROL,
223 		.endpoint = 0x00,	/* Control pipe */
224 		.direction = UE_DIR_ANY,
225 		.bufsize = sizeof(struct usb_device_request),
226 		.callback = &bbb_data_rd_cs_callback,
227 		.timeout = 1 * USB_MS_HZ,	/* 1 second  */
228 	},
229 
230 	[ST_DATA_WR] = {
231 		.type = UE_BULK,
232 		.endpoint = UE_ADDR_ANY,
233 		.direction = UE_DIR_OUT,
234 		.bufsize = SCSI_MAX_LEN,
235 		.flags = {.ext_buffer = 1,.proxy_buffer = 1,},
236 		.callback = &bbb_data_write_callback,
237 		.timeout = 4 * USB_MS_HZ,	/* 4 seconds */
238 	},
239 
240 	[ST_DATA_WR_CS] = {
241 		.type = UE_CONTROL,
242 		.endpoint = 0x00,	/* Control pipe */
243 		.direction = UE_DIR_ANY,
244 		.bufsize = sizeof(struct usb_device_request),
245 		.callback = &bbb_data_wr_cs_callback,
246 		.timeout = 1 * USB_MS_HZ,	/* 1 second  */
247 	},
248 
249 	[ST_STATUS] = {
250 		.type = UE_BULK,
251 		.endpoint = UE_ADDR_ANY,
252 		.direction = UE_DIR_IN,
253 		.bufsize = sizeof(struct bbb_csw),
254 		.flags = {.short_xfer_ok = 1,},
255 		.callback = &bbb_status_callback,
256 		.timeout = 1 * USB_MS_HZ,	/* 1 second  */
257 	},
258 };
259 
260 static const struct usb_config bbb_raw_config[1] = {
261 	[0] = {
262 		.type = UE_BULK_INTR,
263 		.endpoint = UE_ADDR_ANY,
264 		.direction = UE_DIR_OUT,
265 		.bufsize = SCSI_MAX_LEN,
266 		.flags = {.ext_buffer = 1,.proxy_buffer = 1,},
267 		.callback = &bbb_raw_write_callback,
268 		.timeout = 1 * USB_MS_HZ,	/* 1 second */
269 	},
270 };
271 
272 static void
273 bbb_done(struct bbb_transfer *sc, int error)
274 {
275 	sc->error = error;
276 	sc->state = ST_COMMAND;
277 	sc->status_try = 1;
278 	cv_signal(&sc->cv);
279 }
280 
281 static void
282 bbb_transfer_start(struct bbb_transfer *sc, uint8_t xfer_index)
283 {
284 	sc->state = xfer_index;
285 	usbd_transfer_start(sc->xfer[xfer_index]);
286 }
287 
288 static void
289 bbb_data_clear_stall_callback(struct usb_xfer *xfer,
290     uint8_t next_xfer, uint8_t stall_xfer)
291 {
292 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
293 
294 	if (usbd_clear_stall_callback(xfer, sc->xfer[stall_xfer])) {
295 		switch (USB_GET_STATE(xfer)) {
296 		case USB_ST_SETUP:
297 		case USB_ST_TRANSFERRED:
298 			bbb_transfer_start(sc, next_xfer);
299 			break;
300 		default:
301 			bbb_done(sc, USB_ERR_STALLED);
302 			break;
303 		}
304 	}
305 }
306 
307 static void
308 bbb_command_callback(struct usb_xfer *xfer, usb_error_t error)
309 {
310 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
311 	uint32_t tag;
312 
313 	switch (USB_GET_STATE(xfer)) {
314 	case USB_ST_TRANSFERRED:
315 		bbb_transfer_start
316 		    (sc, ((sc->dir == DIR_IN) ? ST_DATA_RD :
317 		    (sc->dir == DIR_OUT) ? ST_DATA_WR :
318 		    ST_STATUS));
319 		break;
320 
321 	case USB_ST_SETUP:
322 		sc->status_try = 0;
323 		tag = UGETDW(sc->cbw->dCBWTag) + 1;
324 		USETDW(sc->cbw->dCBWSignature, CBWSIGNATURE);
325 		USETDW(sc->cbw->dCBWTag, tag);
326 		USETDW(sc->cbw->dCBWDataTransferLength, (uint32_t)sc->data_len);
327 		sc->cbw->bCBWFlags = ((sc->dir == DIR_IN) ? CBWFLAGS_IN : CBWFLAGS_OUT);
328 		sc->cbw->bCBWLUN = sc->lun;
329 		sc->cbw->bCDBLength = sc->cmd_len;
330 		if (sc->cbw->bCDBLength > sizeof(sc->cbw->CBWCDB)) {
331 			sc->cbw->bCDBLength = sizeof(sc->cbw->CBWCDB);
332 			DPRINTFN(0, "Truncating long command\n");
333 		}
334 		usbd_xfer_set_frame_len(xfer, 0,
335 		    sizeof(struct bbb_cbw));
336 		usbd_transfer_submit(xfer);
337 		break;
338 
339 	default:			/* Error */
340 		bbb_done(sc, error);
341 		break;
342 	}
343 }
344 
345 static void
346 bbb_data_read_callback(struct usb_xfer *xfer, usb_error_t error)
347 {
348 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
349 	usb_frlength_t max_bulk = usbd_xfer_max_len(xfer);
350 	int actlen, sumlen;
351 
352 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
353 
354 	switch (USB_GET_STATE(xfer)) {
355 	case USB_ST_TRANSFERRED:
356 		sc->data_rem -= actlen;
357 		sc->data_ptr += actlen;
358 		sc->actlen += actlen;
359 
360 		if (actlen < sumlen) {
361 			/* short transfer */
362 			sc->data_rem = 0;
363 		}
364 	case USB_ST_SETUP:
365 		DPRINTF("max_bulk=%d, data_rem=%d\n",
366 		    max_bulk, sc->data_rem);
367 
368 		if (sc->data_rem == 0) {
369 			bbb_transfer_start(sc, ST_STATUS);
370 			break;
371 		}
372 		if (max_bulk > sc->data_rem) {
373 			max_bulk = sc->data_rem;
374 		}
375 		usbd_xfer_set_timeout(xfer, sc->data_timeout);
376 		usbd_xfer_set_frame_data(xfer, 0, sc->data_ptr, max_bulk);
377 		usbd_transfer_submit(xfer);
378 		break;
379 
380 	default:			/* Error */
381 		if (error == USB_ERR_CANCELLED) {
382 			bbb_done(sc, error);
383 		} else {
384 			bbb_transfer_start(sc, ST_DATA_RD_CS);
385 		}
386 		break;
387 	}
388 }
389 
390 static void
391 bbb_data_rd_cs_callback(struct usb_xfer *xfer, usb_error_t error)
392 {
393 	bbb_data_clear_stall_callback(xfer, ST_STATUS,
394 	    ST_DATA_RD);
395 }
396 
397 static void
398 bbb_data_write_callback(struct usb_xfer *xfer, usb_error_t error)
399 {
400 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
401 	usb_frlength_t max_bulk = usbd_xfer_max_len(xfer);
402 	int actlen, sumlen;
403 
404 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
405 
406 	switch (USB_GET_STATE(xfer)) {
407 	case USB_ST_TRANSFERRED:
408 		sc->data_rem -= actlen;
409 		sc->data_ptr += actlen;
410 		sc->actlen += actlen;
411 
412 		if (actlen < sumlen) {
413 			/* short transfer */
414 			sc->data_rem = 0;
415 		}
416 	case USB_ST_SETUP:
417 		DPRINTF("max_bulk=%d, data_rem=%d\n",
418 		    max_bulk, sc->data_rem);
419 
420 		if (sc->data_rem == 0) {
421 			bbb_transfer_start(sc, ST_STATUS);
422 			break;
423 		}
424 		if (max_bulk > sc->data_rem) {
425 			max_bulk = sc->data_rem;
426 		}
427 		usbd_xfer_set_timeout(xfer, sc->data_timeout);
428 		usbd_xfer_set_frame_data(xfer, 0, sc->data_ptr, max_bulk);
429 		usbd_transfer_submit(xfer);
430 		break;
431 
432 	default:			/* Error */
433 		if (error == USB_ERR_CANCELLED) {
434 			bbb_done(sc, error);
435 		} else {
436 			bbb_transfer_start(sc, ST_DATA_WR_CS);
437 		}
438 		break;
439 	}
440 }
441 
442 static void
443 bbb_data_wr_cs_callback(struct usb_xfer *xfer, usb_error_t error)
444 {
445 	bbb_data_clear_stall_callback(xfer, ST_STATUS,
446 	    ST_DATA_WR);
447 }
448 
449 static void
450 bbb_status_callback(struct usb_xfer *xfer, usb_error_t error)
451 {
452 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
453 	int actlen;
454 	int sumlen;
455 
456 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
457 
458 	switch (USB_GET_STATE(xfer)) {
459 	case USB_ST_TRANSFERRED:
460 
461 		/* very simple status check */
462 
463 		if (actlen < (int)sizeof(struct bbb_csw)) {
464 			bbb_done(sc, USB_ERR_SHORT_XFER);
465 		} else if (sc->csw->bCSWStatus == CSWSTATUS_GOOD) {
466 			bbb_done(sc, 0);	/* success */
467 		} else {
468 			bbb_done(sc, ERR_CSW_FAILED);	/* error */
469 		}
470 		break;
471 
472 	case USB_ST_SETUP:
473 		usbd_xfer_set_frame_len(xfer, 0,
474 		    sizeof(struct bbb_csw));
475 		usbd_transfer_submit(xfer);
476 		break;
477 
478 	default:
479 		DPRINTF("Failed to read CSW: %s, try %d\n",
480 		    usbd_errstr(error), sc->status_try);
481 
482 		if (error == USB_ERR_CANCELLED || sc->status_try) {
483 			bbb_done(sc, error);
484 		} else {
485 			sc->status_try = 1;
486 			bbb_transfer_start(sc, ST_DATA_RD_CS);
487 		}
488 		break;
489 	}
490 }
491 
492 static void
493 bbb_raw_write_callback(struct usb_xfer *xfer, usb_error_t error)
494 {
495 	struct bbb_transfer *sc = usbd_xfer_softc(xfer);
496 	usb_frlength_t max_bulk = usbd_xfer_max_len(xfer);
497 	int actlen, sumlen;
498 
499 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
500 
501 	switch (USB_GET_STATE(xfer)) {
502 	case USB_ST_TRANSFERRED:
503 		sc->data_rem -= actlen;
504 		sc->data_ptr += actlen;
505 		sc->actlen += actlen;
506 
507 		if (actlen < sumlen) {
508 			/* short transfer */
509 			sc->data_rem = 0;
510 		}
511 	case USB_ST_SETUP:
512 		DPRINTF("max_bulk=%d, data_rem=%d\n",
513 		    max_bulk, sc->data_rem);
514 
515 		if (sc->data_rem == 0) {
516 			bbb_done(sc, 0);
517 			break;
518 		}
519 		if (max_bulk > sc->data_rem) {
520 			max_bulk = sc->data_rem;
521 		}
522 		usbd_xfer_set_timeout(xfer, sc->data_timeout);
523 		usbd_xfer_set_frame_data(xfer, 0, sc->data_ptr, max_bulk);
524 		usbd_transfer_submit(xfer);
525 		break;
526 
527 	default:			/* Error */
528 		bbb_done(sc, error);
529 		break;
530 	}
531 }
532 
533 /*------------------------------------------------------------------------*
534  *	bbb_command_start - execute a SCSI command synchronously
535  *
536  * Return values
537  * 0: Success
538  * Else: Failure
539  *------------------------------------------------------------------------*/
540 static int
541 bbb_command_start(struct bbb_transfer *sc, uint8_t dir, uint8_t lun,
542     void *data_ptr, size_t data_len, void *cmd_ptr, size_t cmd_len,
543     usb_timeout_t data_timeout)
544 {
545 	sc->lun = lun;
546 	sc->dir = data_len ? dir : DIR_NONE;
547 	sc->data_ptr = data_ptr;
548 	sc->data_len = data_len;
549 	sc->data_rem = data_len;
550 	sc->data_timeout = (data_timeout + USB_MS_HZ);
551 	sc->actlen = 0;
552 	sc->error = 0;
553 	sc->cmd_len = cmd_len;
554 	memset(&sc->cbw->CBWCDB, 0, sizeof(sc->cbw->CBWCDB));
555 	memcpy(&sc->cbw->CBWCDB, cmd_ptr, cmd_len);
556 	DPRINTFN(1, "SCSI cmd = %*D\n", (int)cmd_len, (char *)sc->cbw->CBWCDB, ":");
557 
558 	USB_MTX_LOCK(&sc->mtx);
559 	usbd_transfer_start(sc->xfer[sc->state]);
560 
561 	while (usbd_transfer_pending(sc->xfer[sc->state])) {
562 		cv_wait(&sc->cv, &sc->mtx);
563 	}
564 	USB_MTX_UNLOCK(&sc->mtx);
565 	return (sc->error);
566 }
567 
568 /*------------------------------------------------------------------------*
569  *	bbb_raw_write - write a raw BULK message synchronously
570  *
571  * Return values
572  * 0: Success
573  * Else: Failure
574  *------------------------------------------------------------------------*/
575 static int
576 bbb_raw_write(struct bbb_transfer *sc, const void *data_ptr, size_t data_len,
577     usb_timeout_t data_timeout)
578 {
579 	sc->data_ptr = __DECONST(void *, data_ptr);
580 	sc->data_len = data_len;
581 	sc->data_rem = data_len;
582 	sc->data_timeout = (data_timeout + USB_MS_HZ);
583 	sc->actlen = 0;
584 	sc->error = 0;
585 
586 	DPRINTFN(1, "BULK DATA = %*D\n", (int)data_len,
587 	    (const char *)data_ptr, ":");
588 
589 	USB_MTX_LOCK(&sc->mtx);
590 	usbd_transfer_start(sc->xfer[0]);
591 	while (usbd_transfer_pending(sc->xfer[0]))
592 		cv_wait(&sc->cv, &sc->mtx);
593 	USB_MTX_UNLOCK(&sc->mtx);
594 	return (sc->error);
595 }
596 
597 static struct bbb_transfer *
598 bbb_attach(struct usb_device *udev, uint8_t iface_index,
599     uint8_t bInterfaceClass)
600 {
601 	struct usb_interface *iface;
602 	struct usb_interface_descriptor *id;
603 	const struct usb_config *pconfig;
604 	struct bbb_transfer *sc;
605 	usb_error_t err;
606 	int nconfig;
607 
608 #if USB_HAVE_MSCTEST_DETACH
609 	uint8_t do_unlock;
610 
611 	/* Prevent re-enumeration */
612 	do_unlock = usbd_enum_lock(udev);
613 
614 	/*
615 	 * Make sure any driver which is hooked up to this interface,
616 	 * like umass is gone:
617 	 */
618 	usb_detach_device(udev, iface_index, 0);
619 
620 	if (do_unlock)
621 		usbd_enum_unlock(udev);
622 #endif
623 
624 	iface = usbd_get_iface(udev, iface_index);
625 	if (iface == NULL)
626 		return (NULL);
627 
628 	id = iface->idesc;
629 	if (id == NULL || id->bInterfaceClass != bInterfaceClass)
630 		return (NULL);
631 
632 	switch (id->bInterfaceClass) {
633 	case UICLASS_MASS:
634 		switch (id->bInterfaceSubClass) {
635 		case UISUBCLASS_SCSI:
636 		case UISUBCLASS_UFI:
637 		case UISUBCLASS_SFF8020I:
638 		case UISUBCLASS_SFF8070I:
639 			break;
640 		default:
641 			return (NULL);
642 		}
643 		switch (id->bInterfaceProtocol) {
644 		case UIPROTO_MASS_BBB_OLD:
645 		case UIPROTO_MASS_BBB:
646 			break;
647 		default:
648 			return (NULL);
649 		}
650 		pconfig = bbb_config;
651 		nconfig = ST_MAX;
652 		break;
653 	case UICLASS_HID:
654 		switch (id->bInterfaceSubClass) {
655 		case 0:
656 			break;
657 		default:
658 			return (NULL);
659 		}
660 		pconfig = bbb_raw_config;
661 		nconfig = 1;
662 		break;
663 	default:
664 		return (NULL);
665 	}
666 
667 	sc = malloc(sizeof(*sc), M_USB, M_WAITOK | M_ZERO);
668 	mtx_init(&sc->mtx, "USB autoinstall", NULL, MTX_DEF);
669 	cv_init(&sc->cv, "WBBB");
670 
671 	err = usbd_transfer_setup(udev, &iface_index, sc->xfer, pconfig,
672 	    nconfig, sc, &sc->mtx);
673 	if (err) {
674 		bbb_detach(sc);
675 		return (NULL);
676 	}
677 	switch (id->bInterfaceClass) {
678 	case UICLASS_MASS:
679 		/* store pointer to DMA buffers */
680 		sc->buffer = usbd_xfer_get_frame_buffer(
681 		    sc->xfer[ST_DATA_RD], 0);
682 		sc->buffer_size =
683 		    usbd_xfer_max_len(sc->xfer[ST_DATA_RD]);
684 		sc->cbw = usbd_xfer_get_frame_buffer(
685 		    sc->xfer[ST_COMMAND], 0);
686 		sc->csw = usbd_xfer_get_frame_buffer(
687 		    sc->xfer[ST_STATUS], 0);
688 		break;
689 	default:
690 		break;
691 	}
692 	return (sc);
693 }
694 
695 static void
696 bbb_detach(struct bbb_transfer *sc)
697 {
698 	usbd_transfer_unsetup(sc->xfer, ST_MAX);
699 	mtx_destroy(&sc->mtx);
700 	cv_destroy(&sc->cv);
701 	free(sc, M_USB);
702 }
703 
704 /*------------------------------------------------------------------------*
705  *	usb_iface_is_cdrom
706  *
707  * Return values:
708  * 1: This interface is an auto install disk (CD-ROM)
709  * 0: Not an auto install disk.
710  *------------------------------------------------------------------------*/
711 int
712 usb_iface_is_cdrom(struct usb_device *udev, uint8_t iface_index)
713 {
714 	struct bbb_transfer *sc;
715 	uint8_t timeout;
716 	uint8_t is_cdrom;
717 	uint8_t sid_type;
718 	int err;
719 
720 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
721 	if (sc == NULL)
722 		return (0);
723 
724 	is_cdrom = 0;
725 	timeout = 4;	/* tries */
726 	while (--timeout) {
727 		err = bbb_command_start(sc, DIR_IN, 0, sc->buffer,
728 		    SCSI_INQ_LEN, &scsi_inquiry, sizeof(scsi_inquiry),
729 		    USB_MS_HZ);
730 
731 		if (err == 0 && sc->actlen > 0) {
732 			sid_type = sc->buffer[0] & 0x1F;
733 			if (sid_type == 0x05)
734 				is_cdrom = 1;
735 			break;
736 		} else if (err != ERR_CSW_FAILED)
737 			break;	/* non retryable error */
738 		usb_pause_mtx(NULL, hz);
739 	}
740 	bbb_detach(sc);
741 	return (is_cdrom);
742 }
743 
744 static uint8_t
745 usb_msc_get_max_lun(struct usb_device *udev, uint8_t iface_index)
746 {
747 	struct usb_device_request req;
748 	usb_error_t err;
749 	uint8_t buf = 0;
750 
751 	/* The Get Max Lun command is a class-specific request. */
752 	req.bmRequestType = UT_READ_CLASS_INTERFACE;
753 	req.bRequest = 0xFE;		/* GET_MAX_LUN */
754 	USETW(req.wValue, 0);
755 	req.wIndex[0] = iface_index;
756 	req.wIndex[1] = 0;
757 	USETW(req.wLength, 1);
758 
759 	err = usbd_do_request(udev, NULL, &req, &buf);
760 	if (err)
761 		buf = 0;
762 
763 	return (buf);
764 }
765 
766 #define	USB_ADD_QUIRK(udev, any, which) do { \
767 	if (usb_get_manufacturer(udev) != NULL && usb_get_product(udev) != NULL) { \
768 		DPRINTFN(0, #which " set for USB mass storage device %s %s (0x%04x:0x%04x)\n", \
769 			usb_get_manufacturer(udev), \
770 			usb_get_product(udev), \
771 			UGETW(udev->ddesc.idVendor), \
772 			UGETW(udev->ddesc.idProduct)); \
773 	} else { \
774 		DPRINTFN(0, #which " set for USB mass storage device, 0x%04x:0x%04x\n", \
775 			UGETW(udev->ddesc.idVendor), \
776 			UGETW(udev->ddesc.idProduct)); \
777 	} \
778 	usbd_add_dynamic_quirk(udev, which); \
779 	any = 1; \
780 } while (0)
781 
782 usb_error_t
783 usb_msc_auto_quirk(struct usb_device *udev, uint8_t iface_index,
784     const struct usb_attach_arg *uaa)
785 {
786 	struct bbb_transfer *sc;
787 	uint8_t timeout;
788 	uint8_t is_no_direct;
789 	uint8_t sid_type;
790 	uint8_t any_quirk;
791 	int err;
792 
793 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
794 	if (sc == NULL)
795 		return (0);
796 
797 	any_quirk = 0;
798 
799 	/*
800 	 * Some devices need a delay after that the configuration
801 	 * value is set to function properly:
802 	 */
803 	usb_pause_mtx(NULL, hz);
804 
805 	if (usb_test_quirk(uaa, UQ_MSC_NO_GETMAXLUN) == 0 &&
806 	    usb_msc_get_max_lun(udev, iface_index) == 0) {
807 		DPRINTF("Device has only got one LUN.\n");
808 		USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_GETMAXLUN);
809 	}
810 
811 	is_no_direct = 1;
812 	for (timeout = 4; timeout != 0; timeout--) {
813 		err = bbb_command_start(sc, DIR_IN, 0, sc->buffer,
814 		    SCSI_INQ_LEN, &scsi_inquiry, sizeof(scsi_inquiry),
815 		    USB_MS_HZ);
816 
817 		if (err == 0 && sc->actlen > 0) {
818 			sid_type = sc->buffer[0] & 0x1F;
819 			if (sid_type == 0x00)
820 				is_no_direct = 0;
821 			break;
822 		} else if (err != ERR_CSW_FAILED) {
823 			DPRINTF("Device is not responding "
824 			    "properly to SCSI INQUIRY command.\n");
825 			goto error;	/* non retryable error */
826 		}
827 		usb_pause_mtx(NULL, hz);
828 	}
829 
830 	if (is_no_direct) {
831 		DPRINTF("Device is not direct access.\n");
832 		goto done;
833 	}
834 
835 	if (usb_test_quirk(uaa, UQ_MSC_NO_TEST_UNIT_READY) == 0) {
836 		err = bbb_command_start(sc, DIR_NONE, 0, NULL, 0,
837 		    &scsi_test_unit_ready, sizeof(scsi_test_unit_ready),
838 		    USB_MS_HZ);
839 
840 		if (err != 0) {
841 			if (err != ERR_CSW_FAILED)
842 				goto error;
843 			USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_TEST_UNIT_READY);
844 		}
845 	}
846 
847 	if (usb_test_quirk(uaa, UQ_MSC_NO_PREVENT_ALLOW) == 0) {
848 		err = bbb_command_start(sc, DIR_NONE, 0, NULL, 0,
849 		    &scsi_prevent_removal, sizeof(scsi_prevent_removal),
850 		    USB_MS_HZ);
851 
852 		if (err == 0) {
853 			err = bbb_command_start(sc, DIR_NONE, 0, NULL, 0,
854 			    &scsi_allow_removal, sizeof(scsi_allow_removal),
855 			    USB_MS_HZ);
856 		}
857 
858 		if (err != 0) {
859 			if (err != ERR_CSW_FAILED)
860 				goto error;
861 			USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_PREVENT_ALLOW);
862 		}
863 	}
864 
865 	timeout = 1;
866 
867 retry_sync_cache:
868 	err = bbb_command_start(sc, DIR_NONE, 0, NULL, 0,
869 	    &scsi_sync_cache, sizeof(scsi_sync_cache),
870 	    USB_MS_HZ);
871 
872 	if (err != 0) {
873 		if (err != ERR_CSW_FAILED)
874 			goto error;
875 
876 		USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_SYNC_CACHE);
877 	} else {
878 		/*
879 		 * Certain Kingston memory sticks fail the first
880 		 * read capacity after a synchronize cache command
881 		 * has been issued. Disable the synchronize cache
882 		 * command for such devices.
883 		 */
884 
885 		err = bbb_command_start(sc, DIR_IN, 0, sc->buffer, 8,
886 		    &scsi_read_capacity, sizeof(scsi_read_capacity),
887 		    USB_MS_HZ);
888 
889 		if (err != 0) {
890 			if (err != ERR_CSW_FAILED)
891 				goto error;
892 
893 			err = bbb_command_start(sc, DIR_IN, 0, sc->buffer, 8,
894 			    &scsi_read_capacity, sizeof(scsi_read_capacity),
895 			    USB_MS_HZ);
896 
897 			if (err == 0) {
898 				if (timeout--)
899 					goto retry_sync_cache;
900 
901 				USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_SYNC_CACHE);
902 			} else {
903 				if (err != ERR_CSW_FAILED)
904 					goto error;
905 			}
906 		}
907 	}
908 
909 	if (usb_test_quirk(uaa, UQ_MSC_NO_START_STOP) == 0) {
910 		err = bbb_command_start(sc, DIR_NONE, 0, NULL, 0,
911 		    &scsi_start_unit, sizeof(scsi_start_unit),
912 		    USB_MS_HZ);
913 
914 		if (err != 0) {
915 			if (err != ERR_CSW_FAILED)
916 				goto error;
917 			USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_START_STOP);
918 		}
919 	}
920 
921 	/* clear sense status of any failed commands on the device */
922 
923 	err = bbb_command_start(sc, DIR_IN, 0, sc->buffer,
924 	    SCSI_INQ_LEN, &scsi_inquiry, sizeof(scsi_inquiry),
925 	    USB_MS_HZ);
926 
927 	DPRINTF("Inquiry = %d\n", err);
928 
929 	if (err != 0) {
930 		if (err != ERR_CSW_FAILED)
931 			goto error;
932 	}
933 
934 	err = bbb_command_start(sc, DIR_IN, 0, sc->buffer,
935 	    SCSI_SENSE_LEN, &scsi_request_sense,
936 	    sizeof(scsi_request_sense), USB_MS_HZ);
937 
938 	DPRINTF("Request sense = %d\n", err);
939 
940 	if (err != 0) {
941 		if (err != ERR_CSW_FAILED)
942 			goto error;
943 	}
944 	goto done;
945 
946 error:
947 	/* Apply most quirks */
948 	USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_SYNC_CACHE);
949 	USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_PREVENT_ALLOW);
950 	USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_TEST_UNIT_READY);
951 	USB_ADD_QUIRK(udev, any_quirk, UQ_MSC_NO_START_STOP);
952 done:
953 	bbb_detach(sc);
954 
955 	if (any_quirk) {
956 		/* Unconfigure device, to clear software data toggle. */
957 		usbd_set_config_index(udev, USB_UNCONFIG_INDEX);
958 
959 		/* Need to re-enumerate the device to clear its state. */
960 		usbd_req_re_enumerate(udev, NULL);
961 		return (USB_ERR_STALLED);
962 	}
963 
964 	/* No quirks were added, continue as usual. */
965 	return (0);
966 }
967 
968 usb_error_t
969 usb_msc_eject(struct usb_device *udev, uint8_t iface_index, int method)
970 {
971 	struct bbb_transfer *sc;
972 	usb_error_t err __usbdebug_used;
973 
974 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
975 	if (sc == NULL)
976 		return (USB_ERR_INVAL);
977 
978 	switch (method) {
979 	case MSC_EJECT_STOPUNIT:
980 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
981 		    &scsi_test_unit_ready, sizeof(scsi_test_unit_ready),
982 		    USB_MS_HZ);
983 		DPRINTF("Test unit ready status: %s\n", usbd_errstr(err));
984 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
985 		    &scsi_stop_unit, sizeof(scsi_stop_unit),
986 		    USB_MS_HZ);
987 		break;
988 	case MSC_EJECT_REZERO:
989 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
990 		    &scsi_rezero_init, sizeof(scsi_rezero_init),
991 		    USB_MS_HZ);
992 		break;
993 	case MSC_EJECT_ZTESTOR:
994 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
995 		    &scsi_ztestor_eject, sizeof(scsi_ztestor_eject),
996 		    USB_MS_HZ);
997 		break;
998 	case MSC_EJECT_CMOTECH:
999 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
1000 		    &scsi_cmotech_eject, sizeof(scsi_cmotech_eject),
1001 		    USB_MS_HZ);
1002 		break;
1003 	case MSC_EJECT_HUAWEI:
1004 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
1005 		    &scsi_huawei_eject, sizeof(scsi_huawei_eject),
1006 		    USB_MS_HZ);
1007 		break;
1008 	case MSC_EJECT_HUAWEI2:
1009 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
1010 		    &scsi_huawei_eject2, sizeof(scsi_huawei_eject2),
1011 		    USB_MS_HZ);
1012 		break;
1013 	case MSC_EJECT_HUAWEI3:
1014 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
1015 		    &scsi_huawei_eject3, sizeof(scsi_huawei_eject3),
1016 		    USB_MS_HZ);
1017 		break;
1018 	case MSC_EJECT_HUAWEI4:
1019 		err = bbb_command_start(sc, DIR_IN, 0, NULL, 0,
1020 		    &scsi_huawei_eject4, sizeof(scsi_huawei_eject4),
1021 		    USB_MS_HZ);
1022 		break;
1023 	case MSC_EJECT_TCT:
1024 		/*
1025 		 * TCTMobile needs DIR_IN flag. To get it, we
1026 		 * supply a dummy data with the command.
1027 		 */
1028 		err = bbb_command_start(sc, DIR_IN, 0, sc->buffer,
1029 		    sc->buffer_size, &scsi_tct_eject,
1030 		    sizeof(scsi_tct_eject), USB_MS_HZ);
1031 		break;
1032 	default:
1033 		DPRINTF("Unknown eject method (%d)\n", method);
1034 		bbb_detach(sc);
1035 		return (USB_ERR_INVAL);
1036 	}
1037 
1038 	DPRINTF("Eject CD command status: %s\n", usbd_errstr(err));
1039 
1040 	bbb_detach(sc);
1041 	return (0);
1042 }
1043 
1044 usb_error_t
1045 usb_dymo_eject(struct usb_device *udev, uint8_t iface_index)
1046 {
1047 	static const uint8_t data[3] = { 0x1b, 0x5a, 0x01 };
1048 	struct bbb_transfer *sc;
1049 	usb_error_t err;
1050 
1051 	sc = bbb_attach(udev, iface_index, UICLASS_HID);
1052 	if (sc == NULL)
1053 		return (USB_ERR_INVAL);
1054 	err = bbb_raw_write(sc, data, sizeof(data), USB_MS_HZ);
1055 	bbb_detach(sc);
1056 	return (err);
1057 }
1058 
1059 usb_error_t
1060 usb_msc_read_10(struct usb_device *udev, uint8_t iface_index,
1061     uint32_t lba, uint32_t blocks, void *buffer)
1062 {
1063 	struct bbb_transfer *sc;
1064 	uint8_t cmd[10];
1065 	usb_error_t err;
1066 
1067 	cmd[0] = 0x28;		/* READ_10 */
1068 	cmd[1] = 0;
1069 	cmd[2] = lba >> 24;
1070 	cmd[3] = lba >> 16;
1071 	cmd[4] = lba >> 8;
1072 	cmd[5] = lba >> 0;
1073 	cmd[6] = 0;
1074 	cmd[7] = blocks >> 8;
1075 	cmd[8] = blocks;
1076 	cmd[9] = 0;
1077 
1078 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
1079 	if (sc == NULL)
1080 		return (USB_ERR_INVAL);
1081 
1082 	err = bbb_command_start(sc, DIR_IN, 0, buffer,
1083 	    blocks * SCSI_FIXED_BLOCK_SIZE, cmd, 10, USB_MS_HZ);
1084 
1085 	bbb_detach(sc);
1086 
1087 	return (err);
1088 }
1089 
1090 usb_error_t
1091 usb_msc_write_10(struct usb_device *udev, uint8_t iface_index,
1092     uint32_t lba, uint32_t blocks, void *buffer)
1093 {
1094 	struct bbb_transfer *sc;
1095 	uint8_t cmd[10];
1096 	usb_error_t err;
1097 
1098 	cmd[0] = 0x2a;		/* WRITE_10 */
1099 	cmd[1] = 0;
1100 	cmd[2] = lba >> 24;
1101 	cmd[3] = lba >> 16;
1102 	cmd[4] = lba >> 8;
1103 	cmd[5] = lba >> 0;
1104 	cmd[6] = 0;
1105 	cmd[7] = blocks >> 8;
1106 	cmd[8] = blocks;
1107 	cmd[9] = 0;
1108 
1109 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
1110 	if (sc == NULL)
1111 		return (USB_ERR_INVAL);
1112 
1113 	err = bbb_command_start(sc, DIR_OUT, 0, buffer,
1114 	    blocks * SCSI_FIXED_BLOCK_SIZE, cmd, 10, USB_MS_HZ);
1115 
1116 	bbb_detach(sc);
1117 
1118 	return (err);
1119 }
1120 
1121 usb_error_t
1122 usb_msc_read_capacity(struct usb_device *udev, uint8_t iface_index,
1123     uint32_t *lba_last, uint32_t *block_size)
1124 {
1125 	struct bbb_transfer *sc;
1126 	usb_error_t err;
1127 
1128 	sc = bbb_attach(udev, iface_index, UICLASS_MASS);
1129 	if (sc == NULL)
1130 		return (USB_ERR_INVAL);
1131 
1132 	err = bbb_command_start(sc, DIR_IN, 0, sc->buffer, 8,
1133 	    &scsi_read_capacity, sizeof(scsi_read_capacity),
1134 	    USB_MS_HZ);
1135 
1136 	*lba_last =
1137 	    (sc->buffer[0] << 24) |
1138 	    (sc->buffer[1] << 16) |
1139 	    (sc->buffer[2] << 8) |
1140 	    (sc->buffer[3]);
1141 
1142 	*block_size =
1143 	    (sc->buffer[4] << 24) |
1144 	    (sc->buffer[5] << 16) |
1145 	    (sc->buffer[6] << 8) |
1146 	    (sc->buffer[7]);
1147 
1148 	/* we currently only support one block size */
1149 	if (*block_size != SCSI_FIXED_BLOCK_SIZE)
1150 		err = USB_ERR_INVAL;
1151 
1152 	bbb_detach(sc);
1153 
1154 	return (err);
1155 }
1156